What is a Honeypot
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends, and they allow in-depth examination of adversaries during and after exploitation of a honeypot.
• Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.
• Used for monitoring, detecting and analyzing attacks.
• Does not solve a specific problem. Instead, honeypots are a highly flexible tool with different applications to security.
• A trap set to detect and deflect attempts at unauthorized use of information systems.
• It consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected.
• Whatever it captures is supposed to be malicious and unauthorized.
An example of a honeypot is a system used to simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports, including the attacker's keystrokes. This could give you advance warning of a more concerted attack.
Etymology
The term "honeypot" is often understood to refer to the English children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey.
During the Cold War it was an espionage technique, which inspired spy fiction. The term "honeypot" was used to describe the use of women to gain secret information. In a common scenario, a pretty female Communist agent would trick a male Western official into handing over secret information.
An alternative explanation for the term is a reflection of the sarcastic term for outhouses and other methods of collecting feces and other human waste in places that lack indoor plumbing. Honey is a euphemism for such waste, which is kept in a honeypot until it is picked up by a honey wagon and taken to a disposal area. In this usage, attackers are the equivalent of flies, drawn by the stench of sewage.
History of Honeypot
The concept of the honeypot is not new. In fact, as early as 1991 a number of publications expounded on concepts that were to be the foundations of today's honeypot development. Two publications in particular stood out:
1990/1991 - The Cuckoo's Egg and An Evening with Berferd
Clifford Stoll was an astrophysicist turned systems manager at Lawrence Berkeley Lab. Due to a 75 percent accounting error, he was able to track down a hacker who was using their computers as a launching pad to hack hundreds of military, industrial, and academic computers in search of secrets. His book "The Cuckoo's Egg", published in 1988, detailed his experiences through this 3-year incident, during which he observed the hacker and gathered the information that led to the hacker's arrest.
The other publication of particular note during this period was "An Evening with Berferd" by the well-respected Internet security expert Bill Cheswick. In the paper, Mr. Cheswick describes how he and his colleagues set up their jail machine, also known as a roach motel, in which they chronicled a hacker's movements and the bait and traps they used to lure and detect him.
1997 - Deception Toolkit
The Deception Toolkit is one of the original and landmark honeypots. It is essentially a collection of Perl scripts designed for UNIX systems that emulate a variety of known vulnerabilities. The concept put forward by the DTK is "deceptive defense", which is now central to honeypot concepts and implementations.
1998 - CyberCop Sting
CyberCop Sting is a component of the CyberCop intrusion protection software family, which runs on Windows NT. CyberCop Sting has also been referred to as a "decoy server", as it can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each of these decoys can track, record and report intrusive activity to network and security administrators. As with the DTK, each of these decoys can run simulated services. However, as with most simulated or low-interaction honeypots, CyberCop Sting can only simulate limited functionality, such as telnet logins or SMTP banners, which limits its ability to deceive and to study hackers in the long term.
1998 - NetFacade (and Snort)
As with CyberCop Sting, NetFacade creates a simulated network of hosts with simulated IP addresses running seemingly vulnerable services, but on a much larger scale. NetFacade can simulate an entire class C network of up to 254 systems. It can also simulate 7 different operating systems with a variety of different services.
1998 - BackOfficer Friendly
BackOfficer Friendly runs on Windows and was free, thus giving more people access to honeypot technology. Though it didn't offer much functionality, it was still a very useful piece of software that demonstrated honeypot concepts to a lot of people who were not familiar with them at that time.
1999 - Formation of the Honeynet Project
A group of people led by Lance Spitzner decided to form the Honeynet Project. The Honeynet Project is a non-profit group dedicated to researching the blackhat community and sharing their work with others. Their primary tool for research is the honeynet, an advanced form of honeypot.
2003 - Some Honeypot Tools
In 2003, several important honeypot tools were introduced through these organizations, such as Snort-Inline, Sebek, and advanced virtual honeynets.
Snort-Inline augmented Snort to block and disable attacks instead of just detecting them.
Sebek provided a means to capture hacker activities in honeypots by logging their keystrokes.
Virtual honeynets provided a means to deploy multiple honeynets with just one computer.
Classification of Honeypots
• By level of interaction
High
Low
• By Implementation
Virtual
Physical
• By purpose
Production
Research
1). Level of Interaction
Interaction defines the level of activity a honeypot allows an attacker. There are two categories of interaction, "low interaction" and "high interaction", which help us understand what type of honeypot you are dealing with, along with its strengths and weaknesses.
Low Interaction: Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation provided by the honeypot.
• Simulates some aspects of the system
• Easy to deploy, minimal risk
• Limited information
Advantages
Its simplicity.
These honeypots tend to be easier to deploy and maintain, with minimal risk.
Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations.
The emulated services mitigate risk by containing the attacker's activity; the attacker never gets access to a real operating system that could be used to attack or harm others.
Disadvantages
They log only limited information and are designed to capture known activity.
It's easier for an attacker to detect a low-interaction honeypot: no matter how good the emulation is, a skilled attacker can eventually detect its presence.
Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
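The low-interaction honeypot described in this section and in the example near the top of the post (a decoy that presents a fake service on a port, logs every access attempt including what the attacker typed, and never hands out a real system) can be built in a few dozen lines. The following is an added example in Python; it is not code from the original post nor from any of the tools named above (Specter, Honeyd, KFSensor). The SMTP-style banner text, the hostname mail.example.test, the JSON record layout and the 1 KiB capture limit are all assumptions; received bytes are only logged, never interpreted.

```python
import json
import socket
import threading
import time

# Constructed decoy banner (assumption): mimics what an SMTP server greets with.
BANNER = b"220 mail.example.test ESMTP ready\r\n"
MAX_BYTES = 1024  # capture at most this much per connection


def make_event(peer, received, ts=None):
    """Build one structured log record for a connection attempt.

    The payload is stored as text with undecodable bytes replaced; it is
    never parsed or executed, which is what keeps the decoy low-risk.
    """
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(received),
        "data": received.decode("utf-8", errors="replace"),
    }


class LowInteractionHoneypot:
    """Emulates a single TCP service: send a banner, record what comes back."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0 = let the OS pick one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                    # every probe ends up here
        self._lock = threading.Lock()
        self._stop = threading.Event()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(BANNER)
                data = conn.recv(MAX_BYTES)
            except (socket.timeout, OSError):
                data = b""                  # a bare connect is still worth logging
            event = make_event(peer, data)
            with self._lock:
                self.events.append(event)
            print(json.dumps(event))        # in production: ship to syslog/SIEM

    def serve_forever(self):
        self.sock.settimeout(0.5)           # wake periodically to check _stop
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self.sock.close()

    def start(self):
        t = threading.Thread(target=self.serve_forever, daemon=True)
        t.start()
        return t

    def stop(self):
        self._stop.set()

    def wait_for(self, n, timeout=2.0):
        """Block until at least n events have been recorded (or timeout)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.02)
        return False


def probe(port, payload=b"HELO scanner\r\n"):
    """Constructed client standing in for a scanner: read banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    hp.start()
    print(probe(hp.port))
    hp.wait_for(1)
    hp.stop()
```

Because the decoy has no production value, every record it emits is actionable on its own; the usual next step is to forward the JSON lines to a SIEM and alert on the first connection from any source. Each handler runs under a short timeout and a fixed byte cap so that a flood of connections cannot exhaust the host.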
High Interaction: High-interaction honeypots are different; they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server.
• Simulates all aspects of the OS: real systems
• Can be compromised completely, higher risk
• More information
• Honeynets
Advantages
Extensive amounts of information can be captured. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions.
They make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect.
Disadvantages
It increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems.
As a result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems.
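One common form of the "additional technology" mentioned above is outbound connection limiting at the honeynet gateway: inbound traffic is always allowed (that is the point of the decoy), but each honeypot is permitted only a small number of outbound connections per time window, and anything beyond that is dropped and logged so a fully compromised decoy cannot be turned into a launch pad. The following is an added example in Python illustrating that data-control logic; it is not code from the original post or from the Honeynet Project. The flow-record format, the limit of 3 per hour, and the IP addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed honeypot addresses (assumption): the decoys inside the honeynet.
HONEYPOTS = {"10.0.0.5", "10.0.0.6"}


class OutboundConnectionLimiter:
    """Gateway data control: cap outbound connections per honeypot per window.

    Traffic whose source is not a honeypot (inbound probes and attacks) is
    always accepted. Traffic leaving a honeypot is accepted until `limit`
    connections have been seen in the last `window` seconds, then dropped.
    """

    def __init__(self, honeypots, limit=20, window=3600):
        self.honeypots = set(honeypots)
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # honeypot ip -> timestamps of accepted outbound flows
        self.blocked = []                # (ts, src, dst) of every dropped attempt

    def check(self, src_ip, dst_ip, ts):
        if src_ip not in self.honeypots:
            return "ACCEPT"              # inbound: let the attacker in
        q = self._seen[src_ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                  # expire entries outside the window
        if len(q) >= self.limit:
            self.blocked.append((ts, src_ip, dst_ip))
            return "DROP"                # containment: stop the outbound attack
        q.append(ts)
        return "ACCEPT"


def parse_flow(line):
    """Parse a constructed flow record: '<epoch> <src_ip> -> <dst_ip>:<dst_port>'."""
    ts, src, _, dst = line.split()
    dst_ip, _, dst_port = dst.rpartition(":")
    return int(ts), src, dst_ip, int(dst_port)


def replay(lines, limiter):
    """Run each flow record through the limiter and return the verdicts in order."""
    verdicts = []
    for line in lines:
        ts, src, dst_ip, _ = parse_flow(line)
        verdicts.append(limiter.check(src, dst_ip, ts))
    return verdicts


# Constructed sample: one inbound attack, then the compromised decoy trying to
# reach out five times within an hour, and once more an hour later.
SAMPLE_FLOWS = [
    "1700000000 198.51.100.7 -> 10.0.0.5:22",
    "1700000010 10.0.0.5 -> 203.0.113.9:22",
    "1700000020 10.0.0.5 -> 203.0.113.10:22",
    "1700000030 10.0.0.5 -> 203.0.113.11:22",
    "1700000040 10.0.0.5 -> 203.0.113.12:22",
    "1700000050 10.0.0.5 -> 203.0.113.13:22",
    "1700003700 10.0.0.5 -> 203.0.113.14:22",
]


def demo(limit=3, window=3600):
    limiter = OutboundConnectionLimiter(HONEYPOTS, limit=limit, window=window)
    verdicts = replay(SAMPLE_FLOWS, limiter)
    return verdicts, limiter.blocked


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_FLOWS, demo()[0]):
        print(f"{verdict:6} {line}")
```

The limit is deliberately small: a research honeypot has no legitimate reason to open many outbound connections, so the first few are allowed (enough to watch the attacker fetch a toolkit or join an IRC channel) and the rest are evidence of the decoy being used against third parties. The same counting logic can sit behind iptables or a bridge-mode gateway in a real deployment.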